Capital One’s Current Environment and Structure

• 2012: Capital One owned and maintained 8 data centers
• Current day: 3 data centers remain and our shift to co-locations is in full swing
• We are working to migrate Capital One infrastructure into the Cloud
• Focus: ensuring new assets spun up in the cloud are secure, free of vulnerabilities, and meeting the configuration compliance requirements defined by the CIS Benchmarks
Machine Shop: Baseline AMI Production

• Machine shop: centralized team that controls the gold images that all EC2 hosts are provisioned from
• Machine shop creates new AMIs
• Includes both Linux and Windows flavors
• Qualys scanner baked into AMIs
• Removes the security team from the equation for DevOps
• Automate vulnerability and compliance scans with APIs
• Machine builders took ownership of the certification process
• Security team provides high-level oversight
Before: Lack of Security Automation Delays Release

At least two weeks until the AMI is certified for production

Introduce Security at the Source

Bake Qualys Security into AMIs
Movement to the Cloud and Containers in AWS

• Cyber goals: enable the business, safeguard the business, undergo data transformation
• With the migration to the cloud, Capital One has encountered unique security challenges
  - Open source: knowing where to pull the blessed versions of software from
  - Knowing what versions of software are in the real-time instances being spun up
  - Middleware: testing and compatibility with legacy applications
• The Qualys Agent reports more instantaneous results on software versions and vulnerabilities in the pre-production software development process
Shifting Left: You Build It, You Own It, You Secure It

• This movement is part of Capital One’s journey towards achieving a true DevOps culture in building and maintaining software
• Developing a more proactive approach to remediation
• Working to resolve issues in the build pipeline while applications are in development
• Automating processes so they are as easy and consumable as possible for engineers
• DevOps teams are responsible for ensuring their application remains secure
• Middleware patches are not included in the gold images from the Machine shop
• Java patching is driven by the application teams
• Rehydration alone is not enough
Best Practices for Developers at Capital One

• Utilize a single source of truth for software
  - Navigate to one centralized location to view and pull software
• Keep software current
  - Ensure teams are pulling the latest versions
• Patch using a 60-day rehydration cycle
  - In addition to AMI rehydration, make sure middleware is being patched with the latest version of software available, at a minimum every 60 days
• Leverage enterprise vulnerability scanning tools to scan your images and containers
  - Utilize the Qualys agent and the Qualys self-service Ad-Hoc Portal
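The 60-day rehydration cycle above is easy to state and easy to drift from, so the check below is an added example (not Capital One's or Qualys's code) of how a team can audit its own fleet against it. It flags an instance when it has been running longer than the cycle, when it was launched from an AMI that is itself older than the cycle, or when its AMI is not in the gold-image catalog at all. The instance and image records are constructed to mirror the fields boto3's describe_instances and describe_images return (InstanceId, ImageId, LaunchTime, CreationDate), so it runs offline; the AMI ids, dates and the 60-day default are assumptions for the example.

```python
"""Audit EC2 instances against a rehydration window (added example, not project code)."""
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 60  # rehydration cycle; assumption matching the slide's 60-day practice

# Constructed gold-image catalog: what the machine shop has published.
SAMPLE_IMAGES = {
    "ami-0aaa111": {"CreationDate": "2019-01-05T08:00:00.000Z", "Name": "gold-linux-2019.01"},
    "ami-0bbb222": {"CreationDate": "2019-03-20T08:00:00.000Z", "Name": "gold-linux-2019.03"},
}

# Constructed running instances; the third was not built from a catalog image.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0001", "ImageId": "ami-0aaa111", "LaunchTime": "2019-01-10T12:00:00+00:00"},
    {"InstanceId": "i-0002", "ImageId": "ami-0bbb222", "LaunchTime": "2019-03-25T12:00:00+00:00"},
    {"InstanceId": "i-0003", "ImageId": "ami-0ccc333", "LaunchTime": "2019-02-01T12:00:00+00:00"},
]


def parse_aws_time(value):
    """Accept the datetime objects boto3 returns or the ISO-8601 strings AWS emits ('Z' or offset)."""
    if isinstance(value, datetime):
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_rehydration(instances, images, now, max_age_days=MAX_AGE_DAYS):
    """Return one finding per non-compliant instance, each with a list of human-readable reasons."""
    now = parse_aws_time(now)
    limit = timedelta(days=max_age_days)
    findings = []
    for inst in instances:
        reasons = []
        image_id = inst["ImageId"]
        uptime = now - parse_aws_time(inst["LaunchTime"])
        # Condition 1: the host itself has not been rebuilt within the cycle.
        if uptime > limit:
            reasons.append(f"instance launched {uptime.days} days ago (rehydration limit {max_age_days})")
        image = images.get(image_id)
        if image is None:
            # Condition 2: image is unknown to the machine shop, so its patch state is unknown too.
            reasons.append(f"image {image_id} is not in the gold-image catalog")
        else:
            # Condition 3: a recent launch from a stale AMI still misses the newer gold image.
            image_age = now - parse_aws_time(image["CreationDate"])
            if image_age > limit:
                reasons.append(f"image {image_id} created {image_age.days} days ago (limit {max_age_days})")
        if reasons:
            findings.append({"InstanceId": inst["InstanceId"], "ImageId": image_id, "Reasons": reasons})
    return findings


def example_findings():
    """Run the audit on the constructed data with a fixed 'today' so the result is deterministic."""
    return check_rehydration(SAMPLE_INSTANCES, SAMPLE_IMAGES, "2019-04-01T00:00:00Z")


if __name__ == "__main__":
    for finding in example_findings():
        print(finding["InstanceId"], finding["ImageId"], "; ".join(finding["Reasons"]))
```

On the constructed data, i-0001 is reported twice over (stale host and stale AMI), i-0003 only because its AMI is outside the catalog, and i-0002 is compliant. Feeding the same function the output of a real describe_instances call gives a per-account rehydration report that an application team can act on before the vulnerability scanner surfaces the consequence.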
Vulnerability Reporting at Capital One

• Leverage an external vulnerability management tool
  - Ingestion of Qualys data into the tool
  - Prioritization of vulnerabilities for remediation
  - Asset prioritization: aging, threat posture, regulatory compliance, environment/attack surface
• Emphasis on education
  - Internal trainings and certification for secure software engineering
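The slide names four prioritization factors but not how they combine, so the following is an added example (not Capital One's or Qualys's code, and not a description of any particular vulnerability management product) of a weighted scoring pass over ingested findings. Each factor contributes a 0-25 band: aging saturates at 90 days, threat posture blends CVSS with whether a public exploit is known, regulatory scope is all-or-nothing, and environment combines tier with internet exposure. The weights, thresholds, field names (including the constructed "qid" field standing in for the scanner's vulnerability id) and sample findings are all assumptions chosen for the illustration.

```python
"""Rank open findings by aging, threat posture, regulatory scope and environment (added example)."""

# Constructed weights: four bands of 25 give a 0-100 priority score.
WEIGHTS = {"aging": 25, "threat": 25, "regulatory": 25, "environment": 25}


def aging_score(age_days):
    """Older open findings rank higher; contribution saturates at 90 days (assumed cut-off)."""
    return min(max(age_days, 0), 90) / 90


def threat_score(cvss, exploit_available):
    """CVSS sets the base; a known public exploit lifts the floor to 0.7 regardless of CVSS."""
    base = max(0.0, min(cvss, 10.0)) / 10.0
    return max(base, 0.7) if exploit_available else base


def regulatory_score(regimes):
    """Any in-scope regime (constructed list, e.g. ["PCI"]) earns the full band."""
    return 1.0 if regimes else 0.0


def environment_score(environment, internet_facing):
    """Production outranks lower tiers; internet exposure adds to the attack-surface weight."""
    base = {"prod": 0.6, "uat": 0.3, "dev": 0.1}.get(environment, 0.1)
    return min(1.0, base + (0.4 if internet_facing else 0.0))


def priority(finding):
    """Weighted 0-100 score for one ingested finding record."""
    return round(
        WEIGHTS["aging"] * aging_score(finding["age_days"])
        + WEIGHTS["threat"] * threat_score(finding["cvss"], finding["exploit_available"])
        + WEIGHTS["regulatory"] * regulatory_score(finding["regulatory"])
        + WEIGHTS["environment"] * environment_score(finding["environment"], finding["internet_facing"]),
        2,
    )


def rank(findings):
    """Return (score, asset, qid) tuples, highest priority first."""
    return sorted(((priority(f), f["asset"], f["qid"]) for f in findings), reverse=True)


# Constructed sample: the same vulnerability on three differently situated assets.
SAMPLE_FINDINGS = [
    {"asset": "i-web-01", "qid": "Q1001", "cvss": 7.5, "exploit_available": True,
     "age_days": 45, "regulatory": ["PCI"], "environment": "prod", "internet_facing": True},
    {"asset": "i-batch-07", "qid": "Q1001", "cvss": 7.5, "exploit_available": True,
     "age_days": 120, "regulatory": [], "environment": "prod", "internet_facing": False},
    {"asset": "i-dev-22", "qid": "Q1001", "cvss": 7.5, "exploit_available": False,
     "age_days": 5, "regulatory": [], "environment": "dev", "internet_facing": False},
]

if __name__ == "__main__":
    for score, asset, qid in rank(SAMPLE_FINDINGS):
        print(f"{score:6.2f}  {asset:12s} {qid}")
```

The point of the sample is that an identical CVSS 7.5 finding lands in three very different places in the queue once asset context is applied: the internet-facing PCI host scores highest, the long-unpatched batch server next, and the fresh dev finding last. Tuning the bands is a policy decision for the vulnerability management team; keeping each factor in its own function makes that tuning auditable.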
A more comprehensive vulnerability and compliance management view, enterprise wide

• Near real-time vulnerability identification
  - Helps with remediation and prioritization based on aged vulnerabilities
  - Dramatic reduction of vulnerabilities within the enterprise
• Near real-time misconfiguration detection against CIS benchmarks
• Qualys cloud agents extend coverage and provide continuous assessment
  - Asset discovery and better ServiceNow data integrity
• Continuous training for software engineers
• Seamless API integration to manage scans and reporting
• Overall cost savings

Questions?